<html>
<head><meta charset="utf-8"><title>rustsec.org gh-pages branch · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html">rustsec.org gh-pages branch</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="222581295"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/222581295" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#222581295">(Jan 13 2021 at 13:50)</a>:</h4>
<p>FYI, I merged the web site into the <code>advisory-db</code> repo, under a <code>gh-pages</code> branch: <a href="https://github.com/RustSec/advisory-db">https://github.com/RustSec/advisory-db</a></p>



<a name="222581368"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/222581368" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#222581368">(Jan 13 2021 at 13:50)</a>:</h4>
<p>the advisories are presently missing... going to wire up automatic regeneration on merge</p>



<a name="222581379"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/222581379" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#222581379">(Jan 13 2021 at 13:50)</a>:</h4>
<p>rather than a timer like before</p>



<a name="222583720"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/222583720" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#222583720">(Jan 13 2021 at 14:07)</a>:</h4>
<p>nice: <a href="https://github.com/RustSec/advisory-db/pull/560">https://github.com/RustSec/advisory-db/pull/560</a></p>



<a name="222583867"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/222583867" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#222583867">(Jan 13 2021 at 14:08)</a>:</h4>
<p>Would it make sense to just push directly and not even do a PR?</p>



<a name="222584927"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/222584927" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#222584927">(Jan 13 2021 at 14:16)</a>:</h4>
<p>Yeah... just wanted to get it working (again) first but now it should be a lot easier to explore alternatives</p>



<a name="223163359"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223163359" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223163359">(Jan 18 2021 at 20:59)</a>:</h4>
<p>Seems to work like a charm! Thanks for setting this up!</p>



<a name="223244319"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223244319" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223244319">(Jan 19 2021 at 15:38)</a>:</h4>
<p>Seems like I got it going just in time as there are a ton of advisory reports</p>



<a name="223368671"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223368671" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223368671">(Jan 20 2021 at 12:57)</a>:</h4>
<p>I think I need to prepare some texts that we can post on upstream issues. Especially in cases where the advisory is up but the issue is still not fixed. I'll see if I can write something up.</p>



<a name="223421335"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223421335" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223421335">(Jan 20 2021 at 19:17)</a>:</h4>
<p>I'm merging all outstanding advisories with patches now, but I believe advisories without patches should be handled with more care. I won't merge them in bulk just yet. cc <span class="user-mention" data-user-id="329529">@Yechan Bae</span></p>



<a name="223423157"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223423157" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223423157">(Jan 20 2021 at 19:32)</a>:</h4>
<p>Ah, I got the advisory db into inconsistent state... let me fix that...</p>



<a name="223423887"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223423887" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Yechan Bae <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223423887">(Jan 20 2021 at 19:37)</a>:</h4>
<p>Sounds reasonable. Thank you for the managing effort :)</p>



<a name="223424236"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223424236" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223424236">(Jan 20 2021 at 19:40)</a>:</h4>
<p>Okay, I un-broke the advisory DB. Whew.</p>



<a name="223424262"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223424262" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223424262">(Jan 20 2021 at 19:40)</a>:</h4>
<p>Duplicate IDs were assigned somehow</p>



<a name="223424330"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223424330" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223424330">(Jan 20 2021 at 19:41)</a>:</h4>
<p>Hmm, how can we prevent breaking the advisory DB in the future? I assume the problem is 2 assignment PRs that both assign the same ID?</p>



<a name="223424534"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223424534" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Steven Fackler <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223424534">(Jan 20 2021 at 19:42)</a>:</h4>
<p>You can change the branch protection settings to require that PRs be up to date with respect to their target branch to be able to land</p>



<a name="223424572"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223424572" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Steven Fackler <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223424572">(Jan 20 2021 at 19:43)</a>:</h4>
<p>or alternatively restructure the file layout so that duplicate IDs force merge conflicts</p>



<a name="223424836"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223424836" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223424836">(Jan 20 2021 at 19:45)</a>:</h4>
<p>Yeah, I think branch protection would have prevented this.</p>



<a name="223425357"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223425357" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223425357">(Jan 20 2021 at 19:49)</a>:</h4>
<p>I want to write a nice message on the issue tracker letting the author know that we've issued an advisory, but my brain is not cooperating today. I've posted what scraps I have so far here, and opened editing to everyone: <br>
<a href="https://hackmd.io/_4CmY8AAQ1Ks8D7KIDTXmg">https://hackmd.io/_4CmY8AAQ1Ks8D7KIDTXmg</a></p>



<a name="223425388"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223425388" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223425388">(Jan 20 2021 at 19:49)</a>:</h4>
<p>The goal is to have something we can post on issues where there's no fix, or fix is only in git.</p>



<a name="223425998"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223425998" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223425998">(Jan 20 2021 at 19:54)</a>:</h4>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch/near/223424236">said</a>:</p>
<blockquote>
<p>Okay, I un-broke the advisory DB. Whew.</p>
</blockquote>
<p>fwiw it's a little unnerving having sec advisories blow up one's notifications <span aria-label="joy" class="emoji emoji-1f602" role="img" title="joy">:joy:</span></p>



<a name="223426249"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223426249" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223426249">(Jan 20 2021 at 19:55)</a>:</h4>
<p>Which notifications were those?</p>



<a name="223426441"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223426441" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223426441">(Jan 20 2021 at 19:57)</a>:</h4>
<p>the ones on GH</p>



<a name="223426621"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223426621" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223426621">(Jan 20 2021 at 19:58)</a>:</h4>
<p>for every merge</p>



<a name="223426899"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223426899" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223426899">(Jan 20 2021 at 20:00)</a>:</h4>
<p>Oh I see <span aria-label="sweat smile" class="emoji emoji-1f605" role="img" title="sweat smile">:sweat_smile:</span></p>



<a name="223427448"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223427448" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223427448">(Jan 20 2021 at 20:04)</a>:</h4>
<p>FWIW, a solution I've used at $work in the past is to have a control file that you bump any time you change something (and CI which verifies you do this) and then you get conflicts between two different updates to this.</p>



<a name="223427656"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223427656" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223427656">(Jan 20 2021 at 20:05)</a>:</h4>
<p>Oooh, that sounds like a very good solution!</p>



<a name="223427774"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223427774" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223427774">(Jan 20 2021 at 20:06)</a>:</h4>
<p>Hmm, I think GitHub Pages is still slightly broken - it shows two <code>RUSTSEC-2020-0110</code> advisories even though I've deleted one of them.</p>



<a name="223430302"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223430302" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223430302">(Jan 20 2021 at 20:26)</a>:</h4>
<p>We can do <code>tree | sha256</code> to get a hash of all the filenames in the repo, and store that as a file. That way we don't have to bother with counters and them potentially arriving to the same value. And this should result in a merge conflict if there are two concurrent runs that have different results</p>



<a name="223432810"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223432810" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223432810">(Jan 20 2021 at 20:46)</a>:</h4>
<p>Another alternative is to test the IDs are unique in CI, and use bors to ensure it always passes</p>



<a name="223432835"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223432835" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223432835">(Jan 20 2021 at 20:47)</a>:</h4>
<p>But the low tech solution of a file you bump is probably easier</p>



<a name="223452900"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223452900" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223452900">(Jan 20 2021 at 23:43)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> which one needs to be deleted? It needs to be removed from the <code>gh-pages</code> branch</p>



<a name="223455813"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223455813" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223455813">(Jan 21 2021 at 00:22)</a>:</h4>
<p>Regarding duplicate ID assignments, that sounds like a bug in <code>rustsec-admin</code></p>



<a name="223497019"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223497019" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223497019">(Jan 21 2021 at 11:42)</a>:</h4>
<p>It's all good now, so I assume you've fixed it, or gh-pages was just updating with a large delay</p>



<a name="223549529"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223549529" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223549529">(Jan 21 2021 at 18:20)</a>:</h4>
<p>The duplicated ID issue I caused last night had some fascinating fallout: <a href="https://www.reddit.com/r/rustjerk/comments/l1habt/just_had_a_nsfw_failure_in_cargo_audit/">https://www.reddit.com/r/rustjerk/comments/l1habt/just_had_a_nsfw_failure_in_cargo_audit/</a></p>



<a name="223551436"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223551436" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223551436">(Jan 21 2021 at 18:34)</a>:</h4>
<p>Funny as it is, this was an outage for the service. And it was caused not even by the duplicate IDs, but by my commit fixing them not being signed. <br>
<span class="user-mention" data-user-id="132721">@Tony Arcieri</span> does the current automation trust a certain set of signing keys, or does it require the commit to be signed at all, regardless of the key used?</p>



<a name="223551486"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223551486" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223551486">(Jan 21 2021 at 18:35)</a>:</h4>
<p>the latter, for now</p>



<a name="223551734"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223551734" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223551734">(Jan 21 2021 at 18:36)</a>:</h4>
<p>That sounds like it does nothing useful, and has caused a brief outage. I suggest either requiring a specific set of keys, or disabling it altogether.</p>



<a name="223552333"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223552333" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223552333">(Jan 21 2021 at 18:41)</a>:</h4>
<p>Probably the latter, because key management is hard, and there should be some security coming from the HTTPS the database is cloned from</p>



<a name="223552436"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223552436" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223552436">(Jan 21 2021 at 18:41)</a>:</h4>
<p>Commit signatures alone do not protect from presenting the client with a valid but vastly outdated version of the database, for example.</p>



<a name="223554398"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223554398" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223554398">(Jan 21 2021 at 18:56)</a>:</h4>
<p>I've opened a PR with the low-tech solution for duplicate ID assignment suggested by Alex: <a href="https://github.com/RustSec/advisory-db/pull/641">https://github.com/RustSec/advisory-db/pull/641</a></p>



<a name="223604822"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223604822" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Yechan Bae <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223604822">(Jan 22 2021 at 05:17)</a>:</h4>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch/near/223427774">said</a>:</p>
<blockquote>
<p>Hmm, I think GitHub Pages is still slightly broken - it shows two <code>RUSTSEC-2020-0110</code> advisories even though I've deleted one of them.</p>
</blockquote>
<p>Now there is no advisory that is assigned RUSTSEC-2020-0110, but we have advisories with ID bigger than that. Is this intended or not?</p>



<a name="223627248"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223627248" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223627248">(Jan 22 2021 at 11:01)</a>:</h4>
<p>Sort of? It's not ideal, but I didn't expect anything to immediately break after that, so I left it as-is for now. I can manually assign that number to a new advisory in case the non-contiguous ID space is an issue.</p>



<a name="223687237"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/223687237" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#223687237">(Jan 22 2021 at 19:29)</a>:</h4>
<p>Well, at least the low-tech solution doesn't break things in absence of conflicts. It has been tested in production today.</p>



<a name="225215567"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/225215567" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#225215567">(Feb 04 2021 at 20:10)</a>:</h4>
<p>oh neat. <code>actions/checkout@v2</code> logs you into git so I guess you can just commit and push from the action with nothing else necessary</p>



<a name="225215852"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/225215852" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#225215852">(Feb 04 2021 at 20:12)</a>:</h4>
<p>That'd be great! I'm a bit tired of those PRs for updating the website, I guess we can start there without risking widespread CI breakage.</p>



<a name="225216695"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/225216695" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#225216695">(Feb 04 2021 at 20:18)</a>:</h4>
<p><a href="https://github.com/RustSec/advisory-db/pull/754/files">https://github.com/RustSec/advisory-db/pull/754/files</a></p>



<a name="225216890"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/225216890" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#225216890">(Feb 04 2021 at 20:20)</a>:</h4>
<p>hrmm, didn't work: <a href="https://github.com/RustSec/advisory-db/runs/1833898729?check_suite_focus=true">https://github.com/RustSec/advisory-db/runs/1833898729?check_suite_focus=true</a></p>



<a name="225222273"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/225222273" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#225222273">(Feb 04 2021 at 21:05)</a>:</h4>
<p><a href="https://github.com/actions/checkout#push-a-commit-using-the-built-in-token">https://github.com/actions/checkout#push-a-commit-using-the-built-in-token</a></p>



<a name="225223453"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/225223453" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#225223453">(Feb 04 2021 at 21:14)</a>:</h4>
<p>looks good now: <a href="https://github.com/RustSec/advisory-db/runs/1834222874?check_suite_focus=true">https://github.com/RustSec/advisory-db/runs/1834222874?check_suite_focus=true</a></p>



<a name="225349174"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/225349174" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#225349174">(Feb 05 2021 at 20:03)</a>:</h4>
<p>it worked! <span aria-label="tada" class="emoji emoji-1f389" role="img" title="tada">:tada:</span>  <a href="https://github.com/RustSec/advisory-db/commit/81ba31ef02d639141f15e0244526e334ae96a43a">https://github.com/RustSec/advisory-db/commit/81ba31ef02d639141f15e0244526e334ae96a43a</a></p>



<a name="225350726"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/225350726" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#225350726">(Feb 05 2021 at 20:15)</a>:</h4>
<p>Yay! <span aria-label="tada" class="emoji emoji-1f389" role="img" title="tada">:tada:</span></p>



<a name="225351821"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/225351821" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#225351821">(Feb 05 2021 at 20:25)</a>:</h4>
<p>Nice!</p>



<a name="229124250"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/229124250" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#229124250">(Mar 06 2021 at 19:56)</a>:</h4>
<p>Just merged this to move <a href="https://rustsec.org">https://rustsec.org</a> onto an all-Rust (Jekyll-free) rendering stack: <a href="https://github.com/RustSec/advisory-db/pull/810">https://github.com/RustSec/advisory-db/pull/810</a></p>



<a name="229124257"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/229124257" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#229124257">(Mar 06 2021 at 19:56)</a>:</h4>
<p>brief outage. mea culpa <span aria-label="sweat smile" class="emoji emoji-1f605" role="img" title="sweat smile">:sweat_smile:</span></p>



<a name="229124275"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/229124275" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#229124275">(Mar 06 2021 at 19:57)</a>:</h4>
<p>this should hopefully fix all the escaping bugs</p>



<a name="229124352"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/rustsec.org%20gh-pages%20branch/near/229124352" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/rustsec.2Eorg.20gh-pages.20branch.html#229124352">(Mar 06 2021 at 19:58)</a>:</h4>
<p>looks like it so far</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>